cve/published/2024/CVE-2024-26996.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26996: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

 When ncm function is working and then stop usb0 interface for link down,
 eth_stop() is called. At this piont, accidentally if usb transport error
 should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

 After that, ncm_disable() is called to disable for ncm unbind
 but gether_disconnect() is never called since 'in_ep' is not enabled.

 As the result, ncm object is released in ncm unbind
 but 'dev->port_usb' associated to 'ncm->port' is not NULL.

 And when ncm bind again to recover netdev, ncm object is reallocated
 but usb0 interface is already associated to previous released ncm object.

 Therefore, once usb0 interface is up and eth_start_xmit() is called,
 released ncm object is dereferrenced and it might cause use-after-free memory.

 [function unlink via configfs]
   usb0: eth_stop dev->port_usb=ffffff9b179c3200
   --> error happens in usb_ep_enable().
   NCM: ncm_disable: ncm=ffffff9b179c3200
   --> no gether_disconnect() since ncm->port.in_ep->enabled is false.
   NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
   NCM: ncm_free: ncm free ncm=ffffff9b179c3200   <-- released ncm

 [function link via configfs]
   NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
   NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
   NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
   usb0: eth_open dev->port_usb=ffffff9b179c3200  <-- previous released ncm
   usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
   eth_start_xmit()
   --> dev->wrap()
   Unable to handle kernel paging request at virtual address dead00000000014f

 This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
 ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
 It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
 rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
 but the gether connection might be established.

 The Linux kernel CVE team has assigned CVE-2024-26996 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.157 with commit 7f67c2020cb08499c400abf0fc32c65e4d9a09ca
 	Fixed in 6.1.88 with commit 0588bbbd718a8130b98c54518f1e0b569ce60a93
 	Fixed in 6.6.29 with commit f356fd0cbd9c9cbd0854657a80d1608d0d732db3
 	Fixed in 6.8.8 with commit 7250326cbb1f4f90391ac511a126b936cefb5bb7
 	Fixed in 6.9 with commit 6334b8e4553cc69f51e383c9de545082213d785e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26996
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/gadget/function/f_ncm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca
 	https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93
 	https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3
 	https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7
 	https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26996: usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error

	When ncm function is working and then stop usb0 interface for link down,
	eth_stop() is called. At this piont, accidentally if usb transport error
	should happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.

	After that, ncm_disable() is called to disable for ncm unbind
	but gether_disconnect() is never called since 'in_ep' is not enabled.

	As the result, ncm object is released in ncm unbind
	but 'dev->port_usb' associated to 'ncm->port' is not NULL.

	And when ncm bind again to recover netdev, ncm object is reallocated
	but usb0 interface is already associated to previous released ncm object.

	Therefore, once usb0 interface is up and eth_start_xmit() is called,
	released ncm object is dereferrenced and it might cause use-after-free memory.

	[function unlink via configfs]
	usb0: eth_stop dev->port_usb=ffffff9b179c3200
	--> error happens in usb_ep_enable().
	NCM: ncm_disable: ncm=ffffff9b179c3200
	--> no gether_disconnect() since ncm->port.in_ep->enabled is false.
	NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200
	NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm

	[function link via configfs]
	NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000
	NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000
	NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0
	usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm
	usb0: eth_start dev->port_usb=ffffff9b179c3200 <--
	eth_start_xmit()
	--> dev->wrap()
	Unable to handle kernel paging request at virtual address dead00000000014f

	This patch addresses the issue by checking if 'ncm->netdev' is not NULL at
	ncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.
	It's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect
	rather than check 'ncm->port.in_ep->enabled' since it might not be enabled
	but the gether connection might be established.

	The Linux kernel CVE team has assigned CVE-2024-26996 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.157 with commit 7f67c2020cb08499c400abf0fc32c65e4d9a09ca
	Fixed in 6.1.88 with commit 0588bbbd718a8130b98c54518f1e0b569ce60a93
	Fixed in 6.6.29 with commit f356fd0cbd9c9cbd0854657a80d1608d0d732db3
	Fixed in 6.8.8 with commit 7250326cbb1f4f90391ac511a126b936cefb5bb7
	Fixed in 6.9 with commit 6334b8e4553cc69f51e383c9de545082213d785e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26996
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/gadget/function/f_ncm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca
	https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93
	https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3
	https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7
	https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e